Military technology can be compromised following foreign sales to an ally, accidental loss, or capture during a conflict by an enemy. Because U.S. military hardware and software have a high technical content that provides a qualitative edge, protection of this technological superiority is a high priority. Program managers can mitigate such risks with a relatively new set of technologies collectively known as "anti-tamper." Program managers need to know the state of the art in anti-tamper technology and the emerging DoD and U.S. Air Force policy on its use. This article covers anti-tamper policies; explains how, where, and when to insert these technologies; and describes some anti-tamper technologies now in use.


At a time of some future conflict, the Ops Center was alive with the buzz created from the most recent news flash. The first loss in the war of a Banshee UCAV (uninhabited combat air vehicle) was causing a bit of consternation. The loss itself was unfortunate enough, although some were taking solace from the fact that it didn’t come about as a result of enemy fire. Instead, a failure of some sort, likely an engine malfunction, had resulted in the aircraft going down while on a deep strike escort mission.

While the continued conduct of the strike occupied the thoughts and energy of most in the room, a small contingent was crowded around a screen where the latest overhead imagery was being displayed. The initial reaction was one of surprise and then muted murmurings. If the imagery was to be believed, it was showing that the aircraft had survived the resulting crash in rather good condition. Although most of the nose and control surfaces were damaged beyond repair, the fuselage itself was fairly intact. One side-bay weapons door appeared to be flung to the side and there on the ground in full view was an advanced AIM-172 air-to-air missile. And apparently it was undamaged!

This new missile variant had been developed in response to the latest electronic countermeasures (ECM) deployed on the enemy’s fighters and now it appeared he was going to gain access to the missile intact. While the new missile’s capabilities against ECM were judged very effective, they were considered “fragile” because they depended heavily on special software algorithms contained in the missile’s processor. If the enemy were able to recover the processor and download the operational flight program (OFP) containing these algorithms, then as everyone knew, his ECM system could be easily updated to defeat the missile. The air superiority that had been gained over the past few days of the war would be jeopardized very quickly. . . .

While this scenario at first blush might appear to be the stuff of science fiction, it is a vital concern today. The loss or compromise of critical U.S. technologies is a constant threat and one that our operational forces take very seriously. Unfortunately, protection of our weapon systems through inherent design has not been the standard practice for industry weapons makers or for their government partners, that is, our fellow acquisition program managers. However, changes in technology, in the military and political environments, and in defense acquisition policies favor an approach to weapons systems development that addresses this potential weakness. The name for this new approach is “anti-tamper.”


What  is  Anti-Tamper?  Why  Have  It? 

Anti-tamper (AT) is defined as the systems engineering activities intended to prevent or delay exploitation of essential or critical technologies in U.S. weapon systems. According to Department of Defense (DoD) 5200.1-M, an essential or critical technology is one that “if compromised would degrade combat effectiveness, shorten the expected combat-effective life of the system, or significantly alter program direction.” Access to such information could force undesirable changes to tactics and concepts of operations (conops), premature retirement of a weapons system, or major system design changes to regain some level of effectiveness.

The use of AT protective techniques will vary depending on the technology being protected. For example, state-of-the-art technology of a critical nature typically requires more sophisticated AT applications. Some examples of AT techniques include software encryption, integrated circuit protective coatings, and hardware access denial systems.

Until very recently, documented U.S. defense policies said little specifically about AT. Accordingly, there has been limited motivation for, knowledge of, or enthusiasm by program managers to incorporate AT techniques into the weapon systems whose development they oversee.

We believe, however, that even without specific language mandating the use of AT techniques, the direction that has existed provides ample reason for program managers to consider incorporating them. For an example of such direction we need look no further than DoD 5200.1-M, which says in part that program managers are to “selectively and effectively apply security countermeasures to protect essential technology.” The manual emphasizes that such countermeasures are “required to prevent foreign intelligence collection and unauthorized disclosure of essential program information, technology, and/or systems.” Furthermore, this protection is “mandatory for use by all of the DoD components.”

Now one might argue that the manual’s original intent in making these statements was solely to focus our community on the importance of developing a robust program protection plan that affords adequate acquisition program protection. The program protection plan defines and refines a system security baseline for the implementation of security countermeasures and to manage security costs as well as risks throughout the life cycle of the system. Program protection planning provides program managers, system managers, and users with an overall view of system-specific threats.

Traditionally, the program protection plan has been interpreted to mean a set of processes and infrastructure that guard or limit the exposure of information about critical technologies or operational employment schemes during the development and initial fielding phases of a system’s life cycle. Such a perspective is true enough, but incomplete. It fails to recognize the cradle-to-grave perspective that acquisition personnel are to take when developing a new weapon system and sustaining it.

As defined by DoD 5200.1-M, acquisition program protection “integrates all security disciplines, counterintelligence, and other defensive methods to deny foreign collection efforts and prevent unauthorized disclosure to deliver to our forces uncompromised combat effectiveness over the life expectancy of the system” (emphasis added). Obviously, from this last statement, it is clear that protection of critical technologies extends well into the deployment phase of a weapon system and even unto its retirement. Thus, we argue that a broader interpretation of DoD guidance is perfectly legitimate and within the spirit and intent of the originators of these directives. Despite these arguments, it is clear from the current situation that such an interpretation does not flow down into program development strategies.

Why  Emphasize  Anti-Tamper  Now? 

The primary goal of AT techniques is to protect the combat advantage of the U.S. warfighter. This goal is accomplished by inhibiting exploitation and the development of countermeasures against critical U.S. technologies.

Within the past few years, U.S. policy has strongly encouraged the sale or transfer of certain military equipment to allied and friendly foreign governments. Increasingly, this equipment contains the latest in U.S. technological advances. Whereas in the past, U.S. policy has been relatively reluctant to permit such sales, the current cost-conscious environment motivates the leveraging of reduced unit prices that is afforded by increased production quantities. Additionally, the DoD is seeking increased foreign participation in acquisition programs from the requirements definition phase through production, fielding, and life-cycle management. While these efforts have the potential to enhance interoperability, standardization, and commonality, reduce unit costs, and strengthen U.S. industry, they also risk making critical U.S. technologies vulnerable to possible exploitation.

Another threat that increases the opportunities for exploitation is the increased exposure of U.S. weapons and the technologies they contain during contingency operations. As has been widely reported, U.S. forces are now deploying abroad at a much higher rate than at any time during the Cold War. Invariably, as was demonstrated by the shootdown of Capt Scott O’Grady, military systems will be lost in battle or by accident. There is no guarantee that such losses will be mitigated by damage to the equipment and in most cases we must make the assumption that such systems have been compromised.

Lastly, the threat of espionage has not withered with the demise of the former Soviet Union. In fact, the “rainbow threat” makes counter-espionage activities even more difficult today than during the Cold War. Still, our experiences during that period provide ample evidence that our technological advantages can be compromised. As an example, the Journal of Electronic Defense reports that in the 1950s the introduction of the AIM-9 air-to-air missile provided a performance advantage that far exceeded its U.S. designers’ expectations. Yet the Soviets were able to acquire the technology inherent in this missile and quickly reverse-engineer it into an AIM-9 clone known by the NATO code name of AA-2 “Atoll” (Taylor, 1999).


INCORPORATING ANTI-TAMPER

The process for incorporating AT techniques rests upon the firm foundation of the systems engineering discipline. As with all complex engineering tasks, if one is to succeed in developing a solution to satisfy some need, the need itself must be thoroughly understood and properly translated into performance and technical requirements. The means by which we determine what, if any, AT techniques should be incorporated into a weapon system and how is no different. Figure 1 illustrates the process for determining AT requirements.

The process of interest can be divided into two main parts: the front half, which involves developing an estimate of the means and probability of exploitation, and the back half, where one determines an appropriate solution to the need once it has been properly characterized. The first main part is depicted in the top half of Figure 1 and consists of six steps. These first six steps are usually performed by the contractor in cooperation with government engineers.

[Figure 1. Determining Anti-Tamper Requirements. Top half, "Develop an Exploitation Estimate Without Anti-Tamper" (SPO/contractors/exploiters determine if project needs protection and amount): identify the threats; identify the vulnerabilities; identify attack scenario; identify impacts if exploited; identify new exploitation timeline to minimize impacts. Bottom half, "Determine Appropriate Solution to Meet the Need(s)": identify the available countermeasures; select potential countermeasures; identify the specific issues related to each countermeasure; downselect to recommended solution sets. Each half ends in "Final requirement and solution sets to SPD."]

Acquisition Review Quarterly—Fall 1999

The first of these steps is to identify the critical technologies that are under consideration for design into a weapon system. What constitutes a “critical technology” was defined earlier. Critical technologies include both software and hardware. Once these technologies have been identified, the “threats” to them are usually ascertained through some process involving “red-teaming” or scrutiny by those experts in friendly and adversarial exploitation. This step consists not only of identifying who might be interested in and capable of exploiting identified critical technologies, but why and how they might be exploited. Technologies can be exploited to determine how they can be defeated or how they can be reengineered and improved upon.

According to DoD 5200.1-M, when a program contains critical technologies that may require protection:

...a multidisciplinary counterintelligence threat assessment and a risk assessment are conducted. These assessments provide the basis for any decision pertaining to the protection of the [critical technologies] as part of the overall risk management strategy and the implementation of cost-effective risk mitigation measures (i.e., countermeasures).

It is important to emphasize here that as the DoD manual implicitly recognizes, there exists no need to consider the incorporation of AT techniques absent a critical technology or threat. Only those systems that contain critical technology need go through this process.

The next two steps consist of identifying both vulnerabilities of critical technologies to exploitation and the actual means by which they might be exploited. Again, these assessments must look to the hardware and software aspects of a system and their relationship to system performance. These steps are critical to the design efforts going into the weapon system proper, since they usually indicate if and where measures must be taken to protect the constituent critical technologies. Performing these steps may also provide important insights, for example, that exploitation may be possible but very difficult. This information can be extremely useful for tradeoffs to be conducted later in the process.

While understanding how a critical technology can be exploited is very insightful, so is projecting what the impacts would be if exploitation efforts were indeed successful. For example, if a critical technology is exploited, it may result in countermeasure developments that render the weapon system performance inadequate to do the job. By the same token, exploitation may not result in lost capability if other factors are important to the realization of a weapon system’s full performance potential. Another factor that should be considered is the cost to develop replacement technology or to find other means to regain lost military advantage. Such data can be important for determining if the cost of incorporating protective schemes is worthwhile compared to the cost of measures that must be taken once a technology is compromised.

The last step in the front half of the requirements process is to assess possible exploitation timelines that serve to mitigate the need for, or required amount of, AT necessary for a weapon system. To illustrate, consider the impact of the pace of technological advancement in the microprocessor field. When a certain microprocessor, let us say an application-specific integrated circuit (ASIC), is designed into a weapon system, it may indeed represent a critical technology. But when one considers that similar commercial technology will match and overcome the ASIC’s performance capabilities within 3 to 5 years, it may not make much sense to invest heavily in its protection through AT. The technological advantage will be lost in a relatively short amount of time through means available on the open market.

In contrast, consider the case of protection of software through encryption. Use of more sophisticated means for encryption may not render a software code absolutely secure, but it might increase the time it takes to break the encryption code by an order of magnitude, ensuring that the weapon cannot be exploited during its expected life. (A bit more detail on this form of AT will be discussed below.) Again, such information becomes very important in the tradeoff process for choosing and incorporating affordable AT techniques.

Once the first six steps of the process are complete, then a preliminary requirement for AT can be stipulated. Like all requirements in the weapon system development process, the AT requirement should not be considered absolute, but is something that must be balanced with cost, schedule, and military utility. Anti-tamper is not immune to tradeoffs that must be made as mandated by the policy of cost as an independent variable (CAIV).

The second main part or back half of the requirements process consists of four steps. The first of these is to identify AT techniques that are available to counter the exploitation threats. The nature of the critical technologies requiring protection will naturally provide a first filter for those techniques that may have application. At this stage the alternatives being considered may be quite different even if they have the same end result, that is, to inhibit exploitation. The second step is to select a preliminary set of potential countermeasures that are identified for more in-depth analysis. This first “cut” can usually be accomplished by eliminating those options whose affordability or efficacy is clearly unattractive compared to the other options. Typically a top-level look at the countermeasures proposed will surface relative strengths and weaknesses that facilitate this initial tradeoff.

During the third step a traditional engineering design analysis is conducted in which all considerations are accounted for and evaluated. On the weapon system design side such considerations include life-cycle cost, implications for schedule (both development and production), impact on weapon system performance, ease of manufacture, reliability and maintainability, and safety. But a proper analysis also accounts for the relative merit of an AT technique for inhibiting exploitation, the anticipated timeline and cost that exploitation efforts will take, and the likely time-frame over which the technologies to be protected will remain critical or essential. For example, if a program only gains five years of protection from AT for a $10 million investment and the program is only spending $50 million on the entire RDT&E process, one may question the wisdom of spending the additional 20 percent for such limited results. However, if that same technique could give another program 10 years of protection for the same cost and if the total program budget is larger, then the relative benefit appears much more attractive.


To systems engineers, this evaluation methodology is nothing new or unfamiliar. It simply incorporates another “performance” requirement that is subject to the same kinds of analyses and tradeoffs that they are used to making. It may make final design choices a bit more complex, but it is no less subject to CAIV considerations than any other decision in the engineering design process.

The last step in the AT requirements process is final selection of the favored solution set. This solution may not be unique; another choice may achieve similar results at a similar cost. The dimension that wins the day may not be intuitively obvious, and that is why a thorough analysis should not be overlooked. It does little good to protect one avenue of exploitation if another is left open. As the adage goes, putting a special lock or bolt on the outside of the front door will not protect the back gate.

Anti-Tamper Techniques

For self-evident reasons, a detailed description of AT techniques cannot be presented in an unclassified forum. It is U.S. policy to acknowledge that AT techniques are incorporated into the designs of its weapon systems, but to say nothing of their detailed nature. Many techniques are “fragile” in that the very knowledge of their specific application to protect a particular technology will greatly aid the exploitation process. No AT technique is fool-proof, and it defeats the purpose of incorporating it if an adversary is tipped off to what he is dealing with as he attempts to exploit the technology that has fallen into his hands. Since these techniques are not fool-proof, an “onion layered” approach may be necessary. Generally speaking, overlaid techniques provide more robust protection.

Nevertheless, it is possible to list a few generic examples that illustrate the kinds of options available to the program manager. These examples include:

•  nonetchable thin opaque coatings applied to semiconductor wafers;

•  self-destructing components; and

•  cryptography to include encryption and decryption.

Coatings serve to make it very difficult to extract or dissect microelectronic components without greatly damaging them in the process. Self-destructing components may seem akin to the assignment tapes from the Mission Impossible series, yet in their essential respects they really are no different. After use or when exposed to certain environments, devices employing this form of AT damage themselves beyond reconstruction. However, a lesson learned from this technique is that employing it can have important implications for system operation and maintenance. For instance, if a system needs to go to a depot for repairs, it may be difficult to remove a cover or open a lid if an explosive is primed and ready to erupt upon doing so.

We can examine the last example, encryption, in more detail because it is a common technique found in the commercial as well as military world to protect software code and various forms of communication. Encryption can be defined in simple terms as the scrambling of instructions to make them unintelligible without first being reprocessed through some sort of deciphering technique. Anyone looking at encrypted data sees only cipher text, that is, a bunch of nonsense letters, numerals and symbols. The mathematical formula for accomplishing the deciphering process is an algorithm that takes time to solve. Depending to some degree on the type of algorithm used, the larger the number of bits used in the encryption process, the longer the time it will take to complete the deciphering process. The adjacent table provides some insight into the nature of this relationship (Krey, 1997). Obviously, in this example, the bit length the designer will shoot for will depend on what the technology will support for a given engineering application, the associated cost, the nature of the exploitation threat, and the anticipated time the protected information is expected to remain critical.
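
The dependence of bit length on the required protection period can be worked through numerically. The Python sketch below is an added example, not part of the original article: it takes the 40- to 80-bit rows of Table 1, shows that they correspond to a single fixed key-search rate, and then picks the shortest key length that covers a required protection period. The 18-month doubling of the attacker's search speed and the 30-year requirement are assumptions introduced here.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The 40- to 80-bit rows of Table 1: key length in bits -> quoted breaking time, in seconds.
TABLE_1 = {
    40: 2.0,
    56: 35 * 3600.0,
    64: 1 * SECONDS_PER_YEAR,
    80: 70_000 * SECONDS_PER_YEAR,
}


def implied_rate(bits, seconds):
    """Keys tried per second if all 2**bits keys are searched in `seconds`."""
    return 2 ** bits / seconds


def table_rate_spread(table=TABLE_1):
    """Ratio of the largest to the smallest search rate implied by the table rows."""
    rates = [implied_rate(bits, secs) for bits, secs in table.items()]
    return max(rates) / min(rates)


def search_years(bits, rate):
    """Years to try every key of this length at a constant rate (keys/second)."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def years_until_broken(bits, rate, doubling_years=None):
    """Years until the full key space has been tried.

    With doubling_years=None the rate stays constant (the model behind Table 1).
    Otherwise the rate doubles every `doubling_years` years, an assumption added
    here to represent improving attacker hardware.
    """
    constant = search_years(bits, rate)
    if doubling_years is None:
        return constant
    # Keys tried by year T: integral of r * 2**(t/d) dt = r * d / ln2 * (2**(T/d) - 1).
    # Setting this equal to 2**bits and solving for T gives:
    d = doubling_years
    return d * math.log2(1 + constant * math.log(2) / d)


def min_key_bits(required_years, rate, doubling_years=None, max_bits=256):
    """Smallest key length whose search time covers the required protection period."""
    for bits in range(1, max_bits + 1):
        if years_until_broken(bits, rate, doubling_years) >= required_years:
            return bits
    raise ValueError("no key length up to max_bits meets the requirement")


if __name__ == "__main__":
    rate = implied_rate(40, TABLE_1[40])
    print(f"rate implied by the 40-bit row: {rate:.3g} keys/s")
    print(f"spread of implied rates across rows: {table_rate_spread():.3f}x")
    for bits in TABLE_1:
        fixed = years_until_broken(bits, rate)
        improving = years_until_broken(bits, rate, doubling_years=1.5)
        print(f"{bits:3d} bits: {fixed:12.4g} yr at fixed rate, "
              f"{improving:6.2f} yr if the rate doubles every 18 months")
    # Constructed requirement: the protected software must stay secret for 30 years.
    print("bits needed, fixed rate:", min_key_bits(30, rate))
    print("bits needed, improving attacker:", min_key_bits(30, rate, doubling_years=1.5))
```

At a fixed rate each added bit doubles the breaking time, but against an attacker whose speed doubles every 18 months each added bit buys only about 18 more months, which is why the expected critical lifetime of the protected information drives the choice of bit length.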

Table 1. Code Breaking Times

No. of bits    Time
40             2 seconds
56             35 hours
64             1 year
80             70,000 years
112            10^14 years

Lessons Learned

A number of acquisition programs have already embraced AT techniques to make their weapon systems more secure. Such action has facilitated the process to permit sales of these systems to allies and other foreign customers. One of the lessons learned from these programs is that incorporation of AT after the system design has been frozen is extremely expensive. It is not that all AT techniques are in themselves expensive, but their affordability is critically dependent on when they are introduced into the design process. If AT is treated as a performance requirement from the beginning, it is much easier and more cost-effective to incorporate as compared to “bolting it on” later.

Another lesson learned is that system engineers should thoroughly explore the use of existing AT applications before committing to development of a brand new technique. Such “re-use” will often fulfill a requirement and obviate the need to “reinvent the wheel.” For example, algorithms used for encryption can be modified slightly to provide a completely different type of protection than was originally envisioned.

Still another lesson learned is that many program managers will not address AT concerns unless the need is specified within program management directives or operational requirements documents.

Unfortunately, few have arrived at the enlightened position that AT is a viable option to fulfill broadly applicable program protection policies. The short-term answer to this dilemma is to have the operational requirements development community specify the need to protect critical technologies inherent in weapon systems from compromise or reverse engineering. Alternately, the program management directives can be used to task program managers to do the same. Unfortunately, these actions may be the only way to ensure adoption of AT techniques until they enjoy more widespread acceptance.


Policy  Update 


A big boost for the AT cause came about on February 11, 1999, when Jacques Gansler, Assistant Secretary of Defense for Acquisition and Technology, signed out a memorandum fostering implementation of AT techniques in military acquisition programs (1999):

The Department seeks to preserve the U.S. and [friendly] Foreign Governments’ investment in critical technologies through implementation of Anti-Tamper (AT) techniques and practices... Anti-Tamper is based on existing DoD5200.1M program security requirements... Once [a new policy is] approved, AT will be incorporated in new programs and modifications to programs where appropriate.

The memo stipulates that the director for Strategic and Tactical Systems (S&TS) is to assume Office of the Secretary of Defense oversight, coordination, and policy responsibilities for AT within the DoD. The memo further directs that S&TS convene an integrated product team to prepare a DoD AT policy. Additionally, Service, U.S. Special Operations Command, Ballistic Missile Defense Organization, and Agency acquisition executives are to assess all acquisition category weapon system programs to determine the extent of AT implementation and to report on their observations.

In parallel, efforts are under way to revise DoD 5000.1-M to explicitly state that program managers will assess AT for incorporation into their weapon system acquisitions as part of the program security process. Once accomplished, program managers may elect not to incorporate AT techniques into their weapons developments, but the onus will be on them to demonstrate why and how they intend to address the exploitation threat.


SUMMARY

From the foregoing discussion it should be clear that the incorporation of AT techniques provides significant benefits.

•  Anti-tamper prevents or mitigates the unauthorized or inadvertent disclosure of U.S. technology as well as its exploitation.

•  Anti-tamper protects the U.S. warfighter from countermeasures development.

•  Anti-tamper enables foreign military sales to be consummated with greater confidence that U.S. technologies will not be compromised.

•  Anti-tamper reduces the burden on the taxpayer by helping to sustain U.S. technological advantages.

At the beginning of this article we postulated a speculative future scenario in which advanced military technology was lost into enemy hands with the distinct probability that it would soon be compromised. Perhaps some will find such a scenario difficult to accept as possible or likely. For those who continue to resist the imperative for assessing what role, if any, AT techniques should play in their program, we offer up this historical vignette.

In 1915 during World War I, Anthony Fokker, the great Dutch aviation pioneer, revolutionized aerial combat when he developed a synchronizing system to permit a forward-firing machine gun to shoot through an airplane’s nose-mounted whirling propeller blades. Prior to Fokker’s invention, airmen wishing to engage enemy aircraft were forced to armor their wooden propellers with steel liners and risk hitting them or fire their guns over the top or to the side of the aircraft, which was much less accurate. With Fokker’s mechanism, German aircraft gained the advantage over the Allies and established air superiority.

But the advantage was short-lived, because soon thereafter a German pilot was captured with his aircraft behind French lines when he became lost in bad weather. The Allies quickly copied the Fokker mechanism and even improved upon it by devising a hydraulic synchronizer that interrupted the gun’s firing pattern so bullets were prevented from being fired when a blade passed through the line of fire. With equivalent capability in hand, the Allies quickly reestablished parity in the air (Hildreth and Nalty, 1969).

The reality of exploitation is inescapable. It is supported by historical precedent and current threat assessments. Anti-tamper technology is an affordable means to provide life-cycle program protection to essential or critical U.S. military technologies. Recently established DoD policy mandates that program managers assess whether AT techniques are appropriate for their acquisition programs, be they new or upgrades. The time to act is now.